CVE-2024-50148 Siemens CVE debrief

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled, OT security teams managing Bluetooth-capable industrial devices, and Linux kernel maintainers supporting Bluetooth networking stacks in embedded industrial environments.

Technical summary

The vulnerability exists in the Bluetooth BNEP protocol implementation within the Linux kernel. The bnep_init() function fails to check the return value of bnep_sock_init(), which can fail and perform resource cleanup. When the BNEP module is subsequently removed, bnep_sock_cleanup() attempts to clean up socket resources that have already been freed, resulting in wild memory access. The fix involves properly propagating bnep_sock_init()'s return value through bnep_exit() to prevent the cleanup sequence from executing on failed initialization. This is a local vulnerability requiring low privileges, with exploitation leading to denial of service through system crash.

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
• Implement application whitelisting to ensure only trusted applications are built and executed on the GNU/Linux subsystem
• Monitor for anomalous Bluetooth module loading/unloading activity on affected systems
• Apply vendor patches when released by Siemens
• Review and implement CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. CVSS vector confirmed as CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Affected product identified through CSAF product tree as SIMATIC S7-1500 TM MFP - GNU/Linux subsystem. Remediation status confirmed as 'none_available' in source advisory.

Official resources